Update: exempting two things from WireGuard tunneling

Kalin KOZHUHAROV me.kalin at gmail.com
Mon Mar 5 20:42:25 CET 2018


On Mon, Mar 5, 2018 at 7:59 PM, Nicholas Joll <najoll at posteo.net> wrote:
> I've tried all sorts of things to answer my own question (the question I asked the list a little while ago; my initial e-mail is appended below) but to no avail. However, I've found something, on the Wireguard list itself, which looks as though it may help - but I do not understand it well enough. Might anyone help? The material I found is located here: https://marc.info/?l=wireguard&m=148813372820847&w=2
>
Maybe it was too vague of a question/statement...

> I'd like to exempt two things from WG:
>
What does exempt mean?
You can "NOT route" packets via a wg interface (fix your routing,
subnets, etc.), or BLOCK packets with a firewall (e.g. nftables,
iptables). 1st is better if possible (requires redesign), 2nd may be
easier. Combining both is the best.


> (1) some samba shares, accessed
> via autofs, which give me enough trouble without having VPN dropouts
> (courtesy of my VPN provider and/or my ISP) as well,
>
"samba shares" is like "red car"...
there are quite a few protocols involved with them, most of them run
atop UDP and TCP or both.

> (2) Netflix (which I run via a Chrome app).
... cannot help you much here, but I guess it is some tcp, udp and rtp
mix to some large cloud of IPs.

> The samba shares all have fixed IPs and most of
> them are on a single Windows machine, on my home network, and another
> share is to router-attached USB storage (and only works on Samba
> protocol version 1, for some reason; the other shares work on version 3).
>
Draw a map (on paper) or ASCII art or something, put some IP
addresses, fake if you are worried.

> I imagine many people will want to do each of these things. There was
> something on the list a long time back, I think, about 2, but it was too
> technical for me to understand. (My VPN and Wireguard knowledge is
> minimal, though I have Bash scripts that put WG up and take it down, and
> tell it which servers(s) to use.)
>
Those are some (advanced) routing rules, you probably can live with
standard, if you can choose the IP addresses/networks you connect to
(home).

Really, try to draw a diagram. If you cannot - then it is probably too
complex and wireguard is not gonna help you.

Cheers,
Kalin.
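
The "NOT route" option from the reply above can be expressed through the peer's `AllowedIPs`, which wg-quick uses to install routes: list everything except the exempt networks. This is an added example, not part of the original message; the addresses are constructed placeholders for a home LAN and two fixed-IP share hosts, and the helper names are hypothetical.

```python
import ipaddress

def allowed_ips_excluding(exempt, base="0.0.0.0/0"):
    """Return CIDR blocks covering `base` minus every network in `exempt`."""
    remaining = [ipaddress.ip_network(base)]
    for item in exempt:
        hole = ipaddress.ip_network(item)  # raises ValueError if host bits are set
        kept = []
        for net in remaining:
            if hole.version != net.version or not hole.overlaps(net):
                kept.append(net)      # untouched by this exemption
            elif hole.supernet_of(net):
                continue              # block lies entirely inside the exemption
            else:
                kept.extend(net.address_exclude(hole))  # split around the hole
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def allowed_ips_line(exempt, base="0.0.0.0/0"):
    """Format the result as an AllowedIPs line for a wg-quick [Peer] section."""
    nets = allowed_ips_excluding(exempt, base)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)

# Constructed sample addresses (not taken from the thread).
HOME_LAN = ["192.168.1.0/24"]                        # whole home network
SHARE_HOSTS = ["192.168.1.20/32", "192.168.1.1/32"]  # Windows box, router

if __name__ == "__main__":
    print(allowed_ips_line(HOME_LAN))
    print(allowed_ips_line(SHARE_HOSTS))
```

This fits destinations with fixed addresses, such as the shares; a service spread over a large set of IPs cannot be listed this way.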

